Hello,

I need to divide bandwidth between several clients connected through IPSEC. I found this article:

  https://jve.linuxwall.info/blog/index.php?post/2010/10/16/How-can-I-do-traffic-shaping-in-Linux-by-IP

But my requirements are a little bit more complicated and I need some additional advice.

== How to assign MARK to a new client ==

1) I have not one but several clients who are dynamically connecting and receiving IPs. How can I assign firewall marks / class ids?

My current idea is to store the mark in shared memory and increment it with every new client. Sounds relatively complicated. I can do it, but maybe there is a simpler solution? Any other ideas are welcome.

Another approach I am aware of is to make a hash from the IP address. In this case the hash will be 16 bits (the range for a tc class id) while the IP contains 32 bits. Does not look that good.

== Filters / Classifiers ==

2) I want to have two classes per VPN client: one for priority traffic and another for everything else. I use two marks to achieve this - MARKFW_ONE and MARKFW_TWO.

2.1 SSH traffic: put into the priority queue (ssh but NOT scp):

  iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp -m tos --tos 0x10 -j CONNMARK --set-mark ${MARKFW_ONE}

2.2 ICMP: put into the priority queue:

  iptables -t mangle -A INPUT -i $DEV -s $IP -p icmp -j CONNMARK --set-mark ${MARKFW_ONE}

2.3 To speed up downloads while an upload is going on, put ACK packets in the priority class:

  iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp --tcp-flags ALL ACK -j CONNMARK --set-mark ${MARKFW_ONE}

2.4 Everything else:

  iptables -t mangle -A INPUT -i $DEV -s ${IP} -j CONNMARK --set-mark ${MARKFW_TWO}

And at the end:

  # Propagate netfilter marks on connections
  iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark

Questions are:

- 2.3: It looks like I am wrong here because this rule shall mark the whole connection, not the packet. Shall I simply use -j MARK in this case?
- 2.2: Shall I replace -j CONNMARK with -j MARK for the ICMP case?
- 2.1 - 2.4: Can I use the -j CLASSIFY target instead of marking the packets and connections? I am under the impression that I can use it for case 2.2 and maybe 2.3, but NOT in the other cases when the connection shall be marked.
- 2.1: Is it a proper way to identify ssh traffic (and not scp)?

Thanks in advance!

-- 
WBR & WBW,
Vitaly
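As an added example (not from Vitaly's post or the linked article), a small Python generator for the counter-based mark scheme the post discusses: it hands out one slot per client from the 16-bit tc class-id space, derives two marks/classes per client, and emits the tc and iptables commands, using CONNMARK for connection-wide classification (the ssh case) and MARK for per-packet cases (ICMP, bare ACKs). The device name, rates, the FORWARD/egress placement, the pre-existing HTB root `1:` with parent class `1:1`, and the in-process dict standing in for shared memory are all assumptions.

```python
"""Counter-based mark / tc class-id allocation for dynamically connecting VPN clients.
Example code, not from the post. Assumes an HTB root "1:" with parent class 1:1
already on the device; each client gets slot n and two classes, minor id 2n
(priority) and 2n+1 (bulk); the fw mark equals the minor id so `handle <mark> fw`
maps one to one. State is an in-process dict standing in for the post's shared memory."""
from typing import Dict, List

MAX_MINOR = 0xFFFF   # tc class minor ids are 16 bits wide
FIRST_SLOT = 0x10    # keep low ids free for static classes (1:1, default class)

class MarkAllocator:
    def __init__(self) -> None:
        self.by_ip: Dict[str, int] = {}   # client IP -> slot n
        self.free: List[int] = []         # slots released by disconnected clients
        self.next = FIRST_SLOT

    def acquire(self, ip: str) -> int:
        # Reuse released slots before growing the counter; idempotent per IP.
        if ip in self.by_ip:
            return self.by_ip[ip]
        if self.free:
            n = self.free.pop()
        else:
            n = self.next
            if 2 * n + 1 > MAX_MINOR:   # bulk class of this slot would exceed 16 bits
                raise RuntimeError("tc class id space exhausted")
            self.next += 1
        self.by_ip[ip] = n
        return n

    def release(self, ip: str) -> None:
        self.free.append(self.by_ip.pop(ip))

def rules(dev: str, ip: str, n: int, rate: str, ceil: str) -> List[str]:
    """tc and iptables commands for one client, classifying egress traffic towards it."""
    prio, bulk = 2 * n, 2 * n + 1      # marks double as tc class minor ids
    ipt = f"iptables -t mangle -A FORWARD -o {dev} -d {ip}"
    return [
        f"tc class add dev {dev} parent 1:1 classid 1:{prio:x} htb rate {rate} ceil {ceil} prio 0",
        f"tc class add dev {dev} parent 1:1 classid 1:{bulk:x} htb rate {rate} ceil {ceil} prio 1",
        f"tc filter add dev {dev} parent 1: protocol ip prio 1 handle 0x{prio:x} fw flowid 1:{prio:x}",
        f"tc filter add dev {dev} parent 1: protocol ip prio 1 handle 0x{bulk:x} fw flowid 1:{bulk:x}",
        # connection-wide decisions live on the conntrack entry; classify only unmarked connections
        f"{ipt} -m connmark --mark 0 -p tcp -m tos --tos 0x10 -j CONNMARK --set-mark 0x{prio:x}",
        f"{ipt} -m connmark --mark 0 -j CONNMARK --set-mark 0x{bulk:x}",
        f"{ipt} -j CONNMARK --restore-mark",   # copy the connection mark onto this packet
        # per-packet overrides come after the restore so it cannot overwrite them
        f"{ipt} -p icmp -j MARK --set-mark 0x{prio:x}",
        f"{ipt} -p tcp --tcp-flags ALL ACK -m length --length 0:64 -j MARK --set-mark 0x{prio:x}",
    ]
```

Run the emitted lines when a client connects and delete the classes/filters and rules again on `release`; the per-packet MARK rules are deliberately not saved back to the connection, so a single prioritised ACK does not drag the whole flow into the priority class.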